Cloud Computing

The answer, my friend, is blowing in the wind.
The answer is blowing in the wind.
Objectives

• Define the cloud

• Risks of cloud computing

• Essence of cloud computing

• Deployed clouds in DoD
Definitions of Cloud Computing

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

(This definition is from the latest draft of the NIST Working Definition of cloud computing published by the U.S. Government's National Institute of Standards and Technology.)

NIST Cloud Computing page at http://csrc.nist.gov/groups/SNS/cloud-computing/
CLOUD COMPUTING - WORKING DEFINITION

Cloud computing is an on-demand service model for IT provision, often based on virtualization and distributed computing technologies. Cloud computing architectures have:

— highly abstracted resources

— near instant scalability and flexibility

— near instantaneous provisioning

— shared resources (hardware, database, memory, etc.)

— 'service on demand', usually with a 'pay as you go' billing system

— programmatic management
So - what is a working definition of Cloud Computing?

The interesting thing about cloud computing is that we've redefined cloud computing to include everything that we already do. ... I don't understand what we would do differently in the light of cloud computing other than change the wording of some of our ads.

Larry Ellison, co-founder and CEO of Oracle, quoted in the Wall Street Journal, September 26, 2008
Another view

A lot of people are jumping on the [cloud] bandwagon, but I have not heard two people say the same thing about it. There are multiple definitions out there of "the cloud."

Andy Isherwood, Vice President and General Manager of HP Software and Solutions, quoted in ZDnet News, December 11, 2008
...and another view

It's stupidity. It's worse than stupidity: it's a marketing hype campaign. Somebody is saying this is inevitable — and whenever you hear somebody saying that, it's very likely to be a set of businesses campaigning to make it true.

Richard Stallman, founder of the GNU project and the Free Software Foundation, quoted in The Guardian, September 29, 2008

Richard Stallman, known for his advocacy of "free software", thinks cloud computing is a trap for users — if applications and data are managed "in the cloud", users might become dependent on proprietary systems whose costs will escalate or whose terms of service might be changed unilaterally and adversely.
Open Cloud Manifesto

http://www.opencloudmanifesto.org/

Open%20Cloud%20Manifesto.pdf

We as industry participants must work together to ensure that the cloud remains as open as all other IT technologies. Some might argue that it is too early to discuss topics such as standards, interoperability, integration and portability. Although this is a time of great innovation for the cloud computing community, that innovation should be guided by the principles of openness outlined in this document. We argue that it is exactly the right time to begin the work to build the open cloud.
What the Cloud is

The NIST definition of cloud computing defines three delivery models:

• Software as a Service (SaaS): The consumer uses an application, but does not control the operating system, hardware or network infrastructure on which it's running.

• Platform as a Service (PaaS): The consumer uses a hosting environment for their applications. The consumer controls the applications that run in the environment (and possibly has some control over the hosting environment), but does not control the operating system, hardware or network infrastructure on which they are running. The platform is typically an application framework.

• Infrastructure as a Service (IaaS): The consumer uses "fundamental computing resources" such as processing power, storage, networking components or middleware. The consumer can control the operating system, storage, deployed applications and possibly networking.

NIST Cloud Computing page at http://csrc.nist.gov/groups/SNS/cloud-computing/
Four Deployment Models

Public cloud: In simple terms, public cloud services are characterized as being available to clients from a third-party service provider via the Internet. The term "public" does not always mean free, even though it can be free or fairly inexpensive to use. A public cloud does not mean that a user's data is publicly visible; public cloud vendors typically provide an access control mechanism for their users. Public clouds provide an elastic, cost-effective means to deploy solutions.

Private cloud: A private cloud offers many of the benefits of a public cloud computing environment, such as being elastic and service based. The difference between a private cloud and a public cloud is that in a private cloud-based service, data and processes are managed within the organization without the restrictions of network bandwidth, security exposures and legal requirements that using public cloud services might entail. In addition, private cloud services offer the provider and the user greater control of the cloud infrastructure, improving security and resiliency because user access and the networks used are restricted and designated.
Four Deployment Models

Community cloud: A community cloud is controlled and used by a group of organizations that have shared interests, such as specific security requirements or a common mission. The members of the community share access to the data and applications in the cloud.

Hybrid cloud: A hybrid cloud is a combination of a public and private cloud that interoperates. In this model users typically outsource non-business-critical information and processing to the public cloud, while keeping business-critical services and data in their control.
NIST - Essential Cloud Characteristics

Rapid Elasticity: Elasticity is defined as the ability to scale resources both up and down as needed. To the consumer, the cloud appears to be infinite, and the consumer can purchase as much or as little computing power as they need. This is one of the essential characteristics of cloud computing in the NIST definition.

Measured Service: In a measured service, aspects of the cloud service are controlled and monitored by the cloud provider. This is crucial for billing, access control, resource optimization, capacity planning and other tasks.

On-Demand Self-Service: The on-demand and self-service aspects of cloud computing mean that a consumer can use cloud services as needed without any human interaction with the cloud provider.

Ubiquitous Network Access: Ubiquitous network access means that the cloud provider's capabilities are available over the network and can be accessed through standard mechanisms by both thick and thin clients.

Resource Pooling: Resource pooling allows a cloud provider to serve its consumers via a multi-tenant model. Physical and virtual resources are assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g. country, state, or datacenter).
Right Sizing must be RIGHT

• Computational

• Storage

• Transport

• Redundancy, Criticality

Studies show that with proper management, companies can save 18% of their IT budget.
Risks

• The risks of using cloud computing should be compared to the risks of staying with traditional solutions, such as:

— Desktop-based models

— Client-Server models

• ALL platforms have a risk of failure. You need to recognize the new risks of clouds.

• There are HUGE IT personnel issues, along with changes in procurement and equipment.
Cloud Security is your biggest risk!

There is a potential for a new paradigm in network security. No more Maginot Line Defense!

Move from passive defense (firewalls, etc.) to active defense.

— If an instance of the cloud is under attack:

• Move to another cloud and create a VPN load with new IPs to terminal.
Security Risks (continued)

This class of risks includes the failure of mechanisms separating storage, memory, and routing between different tenants of the shared infrastructure (e.g., so-called guest-hopping attacks, SQL injection attacks exposing multiple customers' data stored in the same table, and side channel attacks).


Bingue - Cook Cloud Computing STSC 2010


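The "same table" case above is the one a practitioner can reproduce most directly: in a multi-tenant SaaS database the only thing separating customers is often a tenant_id column, so a query that concatenates user input can be rewritten to drop the tenant predicate. The following is an added example, not code from these slides or from any product they mention; the table, the tenant names and the rows are constructed for the demonstration. It places the deliberately vulnerable query next to the hardened one, which binds parameters and additionally refuses to return any row belonging to another tenant.

```python
import sqlite3

# Constructed sample data (not from the slides): two tenants' invoices share one
# table and are separated only by the tenant_id column.
SAMPLE_ROWS = [
    ("acme", "A-1001", 120.0),
    ("acme", "A-1002", 75.5),
    ("globex", "G-2001", 999.0),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory multi-tenant table loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (tenant_id TEXT NOT NULL, invoice_no TEXT NOT NULL, amount REAL)"
    )
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_invoice_vulnerable(conn, tenant_id, invoice_no):
    """Deliberately vulnerable: the caller-supplied invoice number is spliced into
    the SQL text, so it can rewrite the WHERE clause and defeat the tenant filter."""
    sql = (
        "SELECT tenant_id, invoice_no, amount FROM invoices "
        f"WHERE tenant_id = '{tenant_id}' AND invoice_no = '{invoice_no}'"
    )
    return conn.execute(sql).fetchall()


def find_invoice_safe(conn, tenant_id, invoice_no):
    """Hardened form: bound parameters keep data out of the SQL text, and a
    post-query check guarantees nothing outside the tenant is ever returned."""
    sql = (
        "SELECT tenant_id, invoice_no, amount FROM invoices "
        "WHERE tenant_id = ? AND invoice_no = ?"
    )
    rows = conn.execute(sql, (tenant_id, invoice_no)).fetchall()
    # Defense in depth: fail closed if the data layer ever returns another tenant's row.
    if any(row[0] != tenant_id for row in rows):
        raise RuntimeError("cross-tenant row returned; refusing to continue")
    return rows


def leaked_tenants(rows, requesting_tenant):
    """Tenants other than the requester that appear in a result set."""
    return sorted({row[0] for row in rows if row[0] != requesting_tenant})


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"  # constructed input that closes the quoted literal
    print("vulnerable:", leaked_tenants(find_invoice_vulnerable(db, "acme", probe), "acme"))
    print("safe:", find_invoice_safe(db, "acme", probe))
```

Run stand-alone, the vulnerable query returns globex's row to a request made as acme, while the parameterized query treats the same input as an invoice number that does not exist. The second check in find_invoice_safe is what makes tenant separation a property of the code rather than of every query being written correctly; it is the kind of guard a shared-table design should fail closed on.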
Security Risks (continued)

The risk of "insider malicious intent" now spreads not only to YOUR employees, but also to all employees of the cloud.

Sniffing, spoofing, man-in-the-middle attacks, side channel and replay attacks should be considered as possible threat sources.
Security Risks (continued)

Cloud computing, being a distributed architecture, implies more data in transit than traditional infrastructures. For example, data must be transferred in order to synchronize multiple distributed machine images, images distributed across multiple physical machines, between cloud infrastructure and remote web clients, etc. Furthermore, most use of data-center hosting is implemented using a secure VPN-like connection environment, a practice not always followed in the cloud context.



Cloud Availability is the second biggest risk!

• Any interruption or corruption in the chain or a lack of coordination of responsibilities between all the parties involved can lead to losses due to failure to meet customer demand, violation of SLA, cascading service failure, etc.

— Unavailability of services

— Loss of data confidentiality

— Integrity issues

— Availability issues

— Economic cascading failures

— Loss of reputation
Availability Risks (continued)

Oct 2009

— T-Mobile wrote to customers that "personal information stored on your [mobile] device - such as contacts, calendar entries, to-do lists or photos - that is no longer on your Sidekick almost certainly has been lost as a result of a server failure at Microsoft/Danger."

Sept 2009

— The SaaS startup Workday, which has about 100 customers using its cloud-based human resources, payroll, and financial applications, had a 15-hour outage on Sept. 24. In this case, the back-up system in place worked — it detected a corrupted storage node — but then it took itself offline.

It is ironic that the redundant backup to a system with built-in redundancy caused the failure.



Risk Summary

You now have risks as both the developer and the customer (consumer).

Your access to the cloud is your lifeline. Sever the connection, and you have NO access to your data or processing platforms.

Do not progress to the cloud until you have a clear and organized plan on how to handle, manage, and mitigate the inherent cloud-computing risks.
The DoD is already moving to clouds

DISA — RACE "RAPID ACCESS COMPUTING ENVIRONMENT"

— With RACE, you can customize, purchase, and receive your platform within 24 hours. You can now order RACE Development, Test, and Production virtual environments to support your life cycle requirement.

AF IBM cloud

— support defense and intelligence networks

— 10-month project will utilize IBM's "stream computing,"
RACE

Offers You the Pole Position in Road-Tested and Secure Developmental and User Testing

Computing Environment:

• DECC standard platforms

• Developed under DoD IA standards

• 24-hour provisioning

• Online self-service

• Credit card or MIPR payment options

• Month-to-month service

• Capacity on demand

• No annual maintenance fees

• No capital investment required

• Pay only for what you need

• 365/24/7 service desk support

• Costs per month/image

• NIPR connectivity

• Multiple virtual configurations available: 1-4 CPU, 1-8 GB memory, 60 GB of storage

• Your choice of operating environments: MS Windows, Red Hat Linux
SADIE (US Navy's SPAWAR Systems Command Architecture Development and Integration Environment) provides participating DoD program managers and architects a secure, web-based, DoDAF 2.0 compliant architectural product development and integration environment. Its suite of applications facilitates development of DoDAF 2.0 standard protocols and profiles to unify management of data-centric architectures. SADIE's configuration enables intuitive administration of heterogeneous architectural frameworks in a collaborative environment regardless of location. SADIE delivers an infrastructure of resources to seamlessly aggregate architecture development and project management. With SADIE's enterprise-wide structure, programs realize significant cost savings by providing a virtual, service-oriented capability for DoDAF 2.0 architecture development.

Website: https://sadie.spawar.navy.mil
Clouds For Tactical Environment

Advantages are transparent (with correct setup) redundancy of data and processing.

Local instance can have a real-time mirror in the cloud.

— If the network connection is lost, tactical information can still be processed.

— If the instance is disabled, then another instance can continue processing.
Conclusions

For cloud computing to reach the full potential promised by the technology, it must offer solid Information Security.

IS cannot be organized AFTER the move. You must organize and plan NOW.

You CANNOT delegate away the risks of any technology.

The cloud is here now - so plan accordingly.


In summary...

...so many things I would have done,
but clouds got in my way.

I've looked at clouds from both sides now.
From up and down, and still somehow
It's cloud illusions I recall.

I really don't know clouds, at all.
[Closing slide: cartoon panel. Catbert, Evil Director of Human Resources: "I'm getting reports that your morale is too high. Happiness is nature's way of informing human [...] you're overpaid." Employee: "Nature wants me to be unhappy?" Catbert: "Don't blame me. Go yell at the clouds."]